 
From: John Percival (johnnewsjelsoft.com)
Date: Tue Apr 09 2002 - 04:59:31 CDT


    Hi guys,

    My thoughts here, from a PHP perspective, are as follows:
    (I've been on vacation, so sorry I'm a bit late!)

    1) Don't be lazy! In the past I know I've been guilty of this, so I'm
    guessing that it probably applies to a few other people too. You've only got
    a finite number of SQL calls in your application, so would it really hurt to
    go through and check them all?

    2) Preventing the SQL injection in the first place. PHP has a magical
    function called addslashes() which basically does a simple search/replace
    through the string, finding all " ' \ and NUL bytes, and escaping them by
    adding a \ in front of them. If you religiously put all variables that you
    are using in the query through this function, then surround the string by
    either '' or "" then you're sorted with strings. Different escaping
    mechanisms might be necessary for different DB engines (MySQL likes \), but
    the general principle is there. If you then run numbers through intval() or
    floatval(), then nothing evil can be passed there.

    BAD:
    "SELECT * FROM table WHERE num=$num AND str='$string'"
    GOOD:
    "SELECT * FROM table WHERE num=".intval($num)." AND str='".addslashes($string)."'"

    So basically, as I see it, it's a matter of being careful and thorough in
    the planning / coding stage rather than something that can be efficiently or
    effectively tested after. Obviously if you don't have access to the source
    code, it's a slightly different story.

    That's my €0.02 :-)

    John
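The rule John describes (numbers through intval()/floatval(), strings through addslashes() and quoted) generalises to a small typed placeholder filler; the following is an added example, not code from the post or from Jelsoft, and the function names, the :i/:f/:s placeholder syntax and the sample inputs are this example's own.

```php
<?php
// Added example (not from the original post). Every value coming from the
// web is a string, so the placeholder itself declares how it must be coerced:
//   :i:name -> intval()      :f:name -> floatval()      :s:name -> addslashes() in quotes
// Function and placeholder names are this example's own invention.

function sqlValue(string $type, $value): string
{
    switch ($type) {
        case 'i':
            // Non-numeric junk collapses to an integer; "42abc" -> 42, "' OR 1" -> 0
            return (string) intval($value);
        case 'f':
            return (string) floatval($value);
        case 's':
            // Escape " ' \ and NUL with a backslash, then wrap in single quotes
            return "'" . addslashes((string) $value) . "'";
    }
    throw new InvalidArgumentException("unknown placeholder type :$type");
}

function buildQuery(string $template, array $params): string
{
    return preg_replace_callback(
        '/:([ifs]):([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($params): string {
            if (!array_key_exists($m[2], $params)) {
                // Refuse to emit a query with an unfilled placeholder
                throw new InvalidArgumentException("missing parameter :{$m[2]}");
            }
            return sqlValue($m[1], $params[$m[2]]);
        },
        $template
    );
}

// Constructed inputs standing in for $_GET values: a legitimate apostrophe
// in a name, and a string that tries to close the quote early.
$tpl = "SELECT * FROM users WHERE num=:i:num AND str=:s:str";
echo buildQuery($tpl, ['num' => "42abc", 'str' => "O'Brien"]), "\n";
echo buildQuery($tpl, ['num' => "' OR 1", 'str' => "x' OR '1'='1"]), "\n";
```

The post predates PHP's prepared-statement APIs; today parameterised queries (PDO or mysqli) are the standard fix, and because addslashes() is not charset-aware, a driver-specific escape function is preferable wherever escaping cannot be avoided.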